
    Windows – PowerShell Execution Policy Bypass

    PowerShell Execution Policy Bypass SIEM Detection Test

    The PowerShell execution policy is the setting that determines which PowerShell scripts, if any, can run on a system. By default it is set to "Restricted". Although this setting is not intended as a security control, attackers and malicious software often bypass it to execute code on a system without administrative-level access.

    How to Test PowerShell Execution Policy Bypass

    Prerequisites:
    • Windows Server must be using NxLog integration and properly sending logs to Blumira
    • GPO Advanced Logging (Logmira) must be configured and properly sending logs to Blumira

    Testing Steps:

    1. Download our Blumira PowerShell Execution Policy Bypass testing script here; the file is non-threatening and is only used to demonstrate the detection
    2. Open Command Prompt
    3. Change to the directory that the above saved file is in.
    4. Run the command PowerShell.exe PowershellTest.ps1
    5. Output should resemble the following:
      [Screenshot: expected output of the command, not reproduced here]
    6. This detection test should trigger the finding "Potentially Malicious PowerShell Command - Event ID 4688" in your Blumira console
    7. Open PowerShell
    8. Change to the directory that the above saved file is in.
    9. Run the command .\PowershellTest.ps1
    10. Output should resemble the following:
      [Screenshot: expected output of the command, not reproduced here]
    11. This detection test should trigger the finding "Potentially Malicious PowerShell Command - Event ID 4104" in your Blumira console
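    The two findings above come from two different log sources: the 4688 variant inspects the process command line recorded at launch, the 4104 variant inspects the script block text that PowerShell logs while it runs. The following is an added example, not Blumira's rule logic or the test script from this page: a small Python checker that applies assumed execution-policy-bypass indicators (the -ExecutionPolicy switch and its short forms, or Set-ExecutionPolicy, set to Bypass or Unrestricted) to constructed 4688 and 4104 events and reports which finding each would raise.

```python
import re
from typing import Optional

# Constructed sample events, shaped like the fields a SIEM receives from Security
# event 4688 (process creation; CommandLine is only present when command-line
# auditing is enabled, which the GPO logging prerequisite above provides) and
# from PowerShell Operational event 4104 (script block logging).
PS_EXE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"EventID": 4688, "NewProcessName": PS_EXE,
     "CommandLine": "PowerShell.exe -ExecutionPolicy Bypass -File PowershellTest.ps1"},
    {"EventID": 4688, "NewProcessName": PS_EXE,
     "CommandLine": "powershell -nop -ep bypass -f PowershellTest.ps1"},
    {"EventID": 4688, "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c dir"},
    {"EventID": 4104,
     "ScriptBlockText": "Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass -Force"},
    {"EventID": 4104, "ScriptBlockText": "Get-ChildItem C:\\Temp"},
]

# Assumed indicators (hypothetical, not Blumira's rule): the execution-policy
# switch, including its abbreviated forms, or the Set-ExecutionPolicy cmdlet,
# set to a policy that disables script-signing checks.
BYPASS_PATTERNS = [
    re.compile(r"-(?:executionpolicy|exec|ex|ep)\s+(?:bypass|unrestricted)\b", re.I),
    re.compile(r"\bset-executionpolicy\b.*\b(?:bypass|unrestricted)\b", re.I),
]
FINDING = "Potentially Malicious PowerShell Command - Event ID {}"

def check_event(event: dict) -> Optional[str]:
    """Return the finding name this event would raise, or None if it is benign."""
    if event.get("EventID") == 4688:
        # Only PowerShell process launches are relevant for the 4688 variant.
        if "powershell" not in event.get("NewProcessName", "").lower():
            return None
        text = event.get("CommandLine", "")
    elif event.get("EventID") == 4104:
        text = event.get("ScriptBlockText", "")
    else:
        return None
    if any(pattern.search(text) for pattern in BYPASS_PATTERNS):
        return FINDING.format(event["EventID"])
    return None

def scan(events: list) -> list:
    """Run check_event over a batch and return (EventID, finding) for each hit."""
    return [(e["EventID"], f) for e in events if (f := check_event(e))]
```

Note that the 4104 check only works when script block logging is enabled, and the 4688 check only when command-line auditing is on; without those, both events arrive without the text the patterns inspect.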

    While testing your PowerShell execution policy detection is crucial, it's just one aspect of maintaining a strong security posture. Understanding your organization's complete external attack surface is equally important.
